Connolly bill would compel agencies to comply with FedRAMP
With more federal agencies moving to the cloud, Rep. Gerry Connolly, D-Va., wants to compel them to use the Federal Risk and Authorization Management Program to verify that their cloud services are secure before they get there.
Connolly introduced the FedRAMP Reform Act of 2018 on Thursday, requiring federal agencies to report their compliance with the cloud authorization program. The bill also aims to streamline the FedRAMP process.
“Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy-in, a lack of metrics and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said in a statement. “The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program and provides FedRAMP customers with the certainty and process reforms they have long sought.”
Established six years ago to standardize the security assessments of cloud service providers looking to sell to federal agencies, FedRAMP has seen growth. However, it maintains a somewhat rocky relationship with some federal and industry leaders and lawmakers.
Part of the issue comes from the time and cost for vendors to obtain an authority to operate (ATO). To assuage those concerns, FedRAMP officials have launched a series of initiatives in the past year to streamline the ATO process, including FedRAMP Tailored.
The bill provides a carrot to both agencies and industry, requiring the program to issue metrics to track “the time, cost and quality of the assessments” of the ATO process. It also directs the Office of Management and Budget and the General Services Administration — which houses FedRAMP — to submit an annual report to Congress detailing the FedRAMP program management office’s performance and status on meeting the metrics.
The legislation offers some proverbial sticks for agencies as well. It codifies the program and requires agencies to comply with FedRAMP requirements for cloud services adoption. Agencies would also have to report their ATOs to the FedRAMP PMO, which would track and assess the authorizations governmentwide, something it already does.
To help streamline FedRAMP as a process, the bill also seeks to eliminate duplication in the security assessments offered by the program’s Joint Authorization Board by requiring agencies to treat any provisional authorization the board awards as adequate unless they document otherwise.
The bill also encourages FedRAMP to pursue automation technology to streamline the ATO process, a path program officials have been pursuing since last year.
Connolly, known as a watchdog for federal IT, particularly around data center consolidation and acquisition, is a longtime critic of FedRAMP.